Description
Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletin: CA26-17 and CA26-18
Published: 2026-06-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated low‑privileged user can exploit incomplete input validation and improperly configured folder permissions to execute arbitrary code within Idira Privileged Session Manager (PSM). This flaw, classified as CWE‑22, can compromise system integrity and confidentiality.

Affected Systems

The vulnerability affects CyberArk Software’s Privileged Session Manager, also known as PSM Vault, in all releases before 15.0.3, 14.6.3, 14.2.5, and 14.0.5. Systems running any of these affected versions should be considered vulnerable until updated.

Risk and Exploitability

The CVSS v3 score is 8.7, indicating high severity. EPSS is not available and the issue is not listed in the CISA KEV catalog. An attacker would need valid credentials with low‑privilege but authenticated access to the PSM instance, after which the vulnerability can be triggered via crafted input to grant code‑execution capabilities.

Generated by OpenCVE AI on June 12, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the CyberArk security bulletin CA26-17 and CA26-18 to update the affected PSM components.
  • Upgrade the Privileged Session Manager to version 15.0.3 or a later release that includes the patch.
  • Verify that the file and directory permissions for the PSM installation have been corrected as recommended in the release notes and restrict low‑privileged user access accordingly.

Generated by OpenCVE AI on June 12, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Cyberark
Cyberark privileged Session Manager
Vendors & Products Cyberark
Cyberark privileged Session Manager

Fri, 12 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/U:Amber'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/RE:M/U:Amber'}


Thu, 11 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletin: CA26-17 and CA26-18
Title Idira Privileged Session Manager (PSM): Potential Code Execution due to an Incomplete Input Validation
First Time appeared Cyberark Software A Palo Alto Networks Company
Cyberark Software A Palo Alto Networks Company privileged Session Manager Vault
Weaknesses CWE-22
CPEs cpe:2.3:a:cyberark_software_a_palo_alto_networks_company:privileged_session_manager_vault:*:*:*:*:*:*:*:*
Vendors & Products Cyberark Software A Palo Alto Networks Company
Cyberark Software A Palo Alto Networks Company privileged Session Manager Vault
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/U:Amber'}


Subscriptions

Cyberark Privileged Session Manager
Cyberark Software A Palo Alto Networks Company Privileged Session Manager Vault
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-06-13T03:56:05.544Z

Reserved: 2026-05-08T23:00:57.503Z

Link: CVE-2026-45171

cve-icon Vulnrichment

Updated: 2026-06-12T13:38:35.221Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T22:16:57.140

Modified: 2026-06-12T15:30:26.567

Link: CVE-2026-45171

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:21:23Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')